Access denied to cross account S3 bucket when using QuickSight - amazon-s3

Background
I am working on a task to generate AWS QuickSight report in Account B from AWS Systems Manager Inventory data in the Account A S3 bucket (s3 sync).
I have successfully added all the resource sync data in to cross account (Account A) S3 bucket using SSM resource data sync. Bucket is encrypted using AWS-KMS key (key is located in Account A) and same key has been used in resource data sync in the all accounts to add data in cross account bucket.
Moreover, I am using Athena in Account B to create sample database and schemas from S3 Sync data.
Problem
Athena can create successfully database and schemas in Account B and also add metadata from Account B to Account A S3 bucket. It keeps showing access denied when I am trying to see "preview table".
Error
Your query has the following error(s):
com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 3F5896D43C82733B; S3 Extended Request ID
(Path: s3://bucket/AWS:Application/accountid=../region=us-east-1/resourcetype=ManagedInstanceInventory/i-..json)
Athena and QuickSight are working in the account where bucket and key are located, but I am want to keep bucket in different account.
I am trying to implement Best practices for patching your AWS and hybrid environment, but with different account and with KMS key.
I have followed all the document about Athena cross-account access with KMS but no luck. Also added decrypt IAM policy to QuickSight Service role.
My IAM role has full admin access. It uses assume role.
Can someone guide me on this issue? Thank you.

If you're i
If you create a resource data sync for an AWS Region that came online since the Asia Pacific (Hong Kong) Region (ap-east-1) or later, then you must enter a region-specific service principal entry in the SSMBucketDelivery section. The following example includes a region-specific service principal entry for ssm.ap-east-1.amazonaws.com
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-datasync.html

Related

AWS Quicksight - transfer ownership of a user resouce before deleting it by API

When I am deleting a Quicksight user by AWS console, there is a option to transfer all the users resources to another user. However by API (boto3 delete_user), then I deleted the user, the resources stay orphaned. There is no option about transfer this resources. Does anyone has any idea about how I can handle that by APIs?
I believe the following document addresses the question. It does refer to resource retrieval AFTER deletion but should be valid for PRE deletion too.
https://aws.amazon.com/premiumsupport/knowledge-center/quicksight-access-resource-deleted-user/
The referenced commands/apis are:
aws quicksight list-analyses
aws quicksight update-analysis-permissions
aws quicksight list-dashboards
aws quicksight update-dashboard-permissions
aws quicksight list-data-sets
aws quicksight update-data-set-permissions
aws quicksight list-data-sources
aws quicksight update-data-source-permissions

Cross account codepipeline using pull method

I'm trying to create a cross account codepipeline and there is no appropriate document for this scenario.
AccounT - A has s3 bucket with yaml file
Account- B Will have Codepipeline
Account B codepipeline should have S3 as source in source stage from Account A and cloudformation deploy method in deploy stage. Can someone please help on what are the roles and other needs has to fulfilled to achieve this task.
There are two things that you need to make this work.
Your bucket needs to use a customer KMS key, not the default. This is because you can't grant permissions to another account to use the default key, meaning another account can't decrypt the data in the bucket. You need to grant permission in the key policy to allow the other account to decrypt using that key. Ideally not just to the entire account, but the role that is being used in your CodePipeline source step.
You have to grant access to the other account in your S3 bucket policy. Ideally not just to the entire account, but the role that is being used in your CodePipeline source step.
I have a project that does some of this using organizations. It isn't exactly what you want, in that the CodePipeline in my project lives in "AccountT" and the pipeline runs CloudFormation (or other things) run in "Account-B". So in my case only CloudFormation is reaching back to the bucket in "AccountT". I don't think it should be a big change to modify it to work the way you need it to work. My project is largely based off this AWS article.

We were unable to update QuickSight permissions for AWS resources

We were unable to update QuickSight permissions for AWS resources. Either you are not authorized to edit QuickSight permissions on AWS resources, or the QuickSight permissions were changed using the IAM console and are therefore no longer updateable through QuickSight.
When I click on Manage Quicksight on top right corner in AWS Quicksight then going to security and permission Tab then ADD or Remove Tab when i add S3 bucket then Amazon S3 . When I update then I get the above error. Now Successfully I sort out the issue. Just Going to AWS IAM Policies Tab filter Quicksight. you got different polices related to quicksight like AWSQuickSightS3Policy just updated it and finally the issue is resolved.Thanks

Download from Requester Pays S3 bucket using EC2 identity

I'm trying to list and download files from a Requester Pays S3 bucket:
aws s3 ls --request-payer requester s3://requester-pays-bucket/
I'm running this command from an EC2 instance, but it fails:
Unable to locate credentials. You can configure credentials by running "aws configure".
The error is clear, however I'm still a little surprised. The goal of a Requester Pays bucket is to offload the cost of S3 data transfers to the requester. Since I'm initiating my request from EC2, my identity as requester should already be clear to S3, no?
Can S3 or the AWS CLI somehow automatically pick up my identity from the EC2 instance I'm running on? Or do I have to provide credentials in some explicit way?
You have to explicitly provide credentials of an IAM user which have access to your S3 bucket. Just go to IAM dashboard of your AWS account and create a new user which have programmatic access to s3. After this you will be provided with a secret access key and access key ID.
Then login into your EC2 instance, run command "aws configure" in your terminal and you will be asked for access key id , secret access key , default region if you want to provide ,just enter these details and you are good to go with your command.

How do I create a s3 bucket, IAM user with full access to S3 and how do I pass the users credentials to my application?

I am using Amazon cloudformation template https://s3.amazonaws.com/cloudformation-templates-us-east-1/PHPHelloWorld.template to setup my application. I need to create a S3 bucket and a IAM user with full access to S3. My PHP application would need the credentials of the user created to upload files to s3.
How do I create a s3 bucket, IAM user with full access to S3 and how do I pass the users credentials to my application ?
Also I have to install the Amazon PHP SDK and some softwares, what are the entries I need to add to the UserData section of PHPHelloWorld.template
Thank you
The example template list contains a template for giving an IAM user full access.
Somewhat counter-intuitively you don't set any properties on the S3 bucket, it's either on an S3 bucket policy, or the IAM user.